Privacy Policy
Introduction
Miskolczi Alex József sole trader (6440 Jánoshalma, Homok utca 8, tax number: 55638344-1-23, registration/record number: 54347207) (hereinafter: Service Provider, Controller) subjects himself to the following policy:
In accordance with REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), the following information is provided.
This privacy policy governs the data processing of the following websites/mobile applications: https://combatprint.hu/
The privacy notice is available at the following page: https://combatprint.hu/en/privacy-policy/
Amendments to the policy shall enter into force upon publication at the above address.
The data controller and contact details
Name: Miskolczi Alex József sole trader
Registered office: 6440, Jánoshalma, Homok utca 8
E-mail: info@combatprint.hu
Phone: +36302745747
Definitions
- “personal data”: means any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
- “processing”: means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
- “controller”: means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
- “processor”: means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
- “recipient”: means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing;
- “consent” of the data subject: means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;
- “personal data breach”: means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
- “profiling”: means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.
Principles relating to processing of personal data
Personal data shall be:
- processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’);
- collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes (‘purpose limitation’);
- adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);
- accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);
- kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (‘storage limitation’);
- processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).
The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (‘accountability’).
The Data Controller declares that its data processing is carried out in accordance with the principles set forth in this section.
Data processing related to the operation of the webshop / use of the service
1. The fact of data collection, the scope of processed data, and the purpose of data processing:
| Personal data | Purpose of data processing | Legal basis |
| Username | Identification, enabling registration. | Point (a) of Article 6(1) of the GDPR. |
| Password | Serves the secure login into the user account. | |
| First name and last name | Necessary for contacting, making purchases, issuing a compliant invoice, and exercising the right of withdrawal. | Point (b) of Article 6(1) of the GDPR. |
| Email address | Maintaining contact. | |
| Phone number | Maintaining contact, more efficient coordination of questions related to billing or shipping. | |
| Billing name and address | Issuing a compliant invoice, as well as concluding the contract, defining its content, modifying it, monitoring its performance, billing the fees arising from it, and enforcing related claims. | Point (c) of Article 6(1) of the GDPR (the legal obligation is Section 169(2) of Act C of 2000 on Accounting). |
| Shipping name and address | Enabling home delivery. | Point (b) of Article 6(1) of the GDPR. |
| Date and time of purchase/registration | Execution of a technical operation. | Section 13/A(3) of Act CVIII of 2001 on Electronic Commerce Services (E-Commerce Act). |
| IP address at the time of purchase/registration | Execution of a technical operation. | |
2. Scope of data subjects: All data subjects registered/purchasing on the webshop website. It is not required for either the username or the email address to contain personal data.
3. Duration of data processing, deadline for the erasure of data: If any of the conditions set forth in Article 17(1) of the GDPR are met, data processing lasts until the data subject’s request for erasure. Based on Article 19 of the GDPR, the data controller shall inform the data subject electronically of the erasure of any personal data provided by the data subject. If the data subject’s request for erasure also extends to the email address provided by them, the data controller shall also erase the email address following the provision of information. Accounting documents are an exception, since these data must be retained for 8 years pursuant to Section 169(2) of Act C of 2000 on Accounting. The contractual data of the data subject may be erased upon the data subject’s request for erasure after the expiry of the civil law statute of limitations.
Accounting documents directly and indirectly supporting the bookkeeping (including general ledger accounts, analytical and detailed records) must be retained in a legible form for at least 8 years, in a manner that allows retrieval based on the references of the accounting records.
4. Identity of potential data controllers entitled to access the data, recipients of personal data: Personal data may be processed by the data controller and its authorized employees, in compliance with the principles set forth above.
5. Description of the data subjects’ rights regarding data processing:
- The data subject may request from the data controller access to, rectification or erasure of personal data concerning him or her, or restriction of processing, and
- the data subject has the right to data portability, as well as the right to withdraw consent at any time.
6. The data subject may initiate access to, erasure, modification, or restriction of processing of personal data, as well as data portability, in the following ways:
- by post at the address: 6440 Jánoshalma, Homok utca 8.,
- by email at the email address: info@combatprint.hu,
- by phone at the number: +36302745747.
7. Legal basis for data processing:
1. Point (b) of Article 6(1) of the GDPR,
2. Section 13/A(3) of Act CVIII of 2001 on Electronic Commerce Services and Information Society Services (hereinafter: E-Commerce Act):
For the purpose of providing the service, the service provider may process personal data that are technically indispensable for providing the service. If other conditions are equal, the service provider must choose and in all cases operate the means applied in the provision of information society services in such a manner that personal data are processed only if it is strictly necessary for the provision of the service and for the fulfillment of other purposes specified in this Act, but even in this case, only to the extent and for the duration necessary.
3. In the case of issuing invoices in compliance with accounting regulations, Point (c) of Article 6(1).
4. In the case of enforcing claims arising from the contract, 5 years pursuant to Section 6:22 of Act V of 2013 on the Civil Code.
Section 6:22 [Limitation period]
(1) Unless otherwise provided by this Act, claims shall lapse after five years.
(2) The limitation period begins when the claim becomes due.
(3) An agreement to alter the limitation period must be contained in writing.
(4) An agreement excluding the limitation period is null and void.
8. Please be informed that
- data processing is necessary for the performance of a contract and for providing an offer.
- you are required to provide personal data so that we can fulfill your order.
- failure to provide data will result in the consequence that we are unable to process your order.
Management of Cookies
1. It is not necessary to request prior consent from data subjects for the use of so-called “password-protected session cookies”, “shopping cart cookies”, “security cookies”, “necessary cookies”, “functional cookies”, and “cookies responsible for managing website statistics”.
2. The fact of data processing, the scope of processed data: Unique identification number, dates, times.
3. Scope of data subjects: All data subjects visiting the website.
4. Purpose of data processing: Identification of users, tracking of visitors, ensuring customized operation.
5. Duration of data processing, deadline for the erasure of data:
| Type of cookie | Legal basis for data processing | Duration of data processing |
| Session cookies or other cookies strictly necessary for the operation of the website | No data processing takes place through the use of the cookie. | The period lasting until the end of the respective visitor session, meaning it only remains on the computer until the browser is closed. |
| Statistical and marketing cookies | Point (a) of Article 6(1) of the GDPR | 1 day – 2 years, in accordance with the cookie notice, or data processing lasts until the data subject’s consent is withdrawn. |
6. Identity of potential data controllers entitled to access the data: Personal data may be accessed by the data controller.
7. Description of the data subjects’ rights regarding data processing: Data subjects have the option to delete cookies in the Tools/Settings menu of browsers, usually under the Privacy menu settings.
8. Most browsers used by our users allow configuring which cookies should be saved and enable (specific) cookies to be deleted again. If you restrict the saving of cookies on specific websites or do not allow third-party cookies, this may, under certain circumstances, lead to our website no longer being fully usable. You can find information below on how to customize cookie settings for common browsers:
Google Chrome (https://support.google.com/chrome/answer/95647?hl=hu)
Internet Explorer (https://support.microsoft.com/hu-hu/help/17442/windows-internet-explorer-delete-manage-cookies)
Firefox (https://support.mozilla.org/hu/kb/sutik-engedelyezese-es-tiltasa-amit-weboldak-haszn)
Safari (https://support.apple.com/hu-hu/guide/safari/sfri11471/mac)
Use of Google Ads conversion tracking
- The Data Controller uses the online advertising program “Google Ads” and, within its framework, utilizes the Google conversion tracking service. Google conversion tracking is an analytics service provided by Google Ireland Limited (Gordon House, Barrow Street, Dublin 4, Ireland).
- When a User reaches a website via a Google advertisement, a cookie required for conversion tracking is placed on their computer. These cookies have limited validity and do not contain any personal data, so the User cannot be identified by them.
- When the User browses certain pages of the website and the cookie has not yet expired, both Google and the Data Controller can see that the User clicked on the advertisement.
- Each Google Ads customer receives a different cookie, so they cannot be tracked through the websites of Ads customers.
- The information obtained with the help of conversion tracking cookies serves the purpose of generating conversion statistics for Ads customers who choose conversion tracking. In this way, customers are informed about the number of users who clicked on their advertisement and were redirected to the page tagged with a conversion tracking tag. However, they do not gain access to information that could identify any user.
- If you do not wish to participate in conversion tracking, you can reject it by disabling the installation of cookies in your browser settings. Consequently, you will not be included in the conversion tracking statistics.
- Based on Google Consent Mode v2, Google uses two new cookie types: ad_user_data and ad_personalization, which are based on the consent of the data subject and relate to the use and sharing of data. The ad_user_data cookie is used to provide consent for sending user data to Google for advertising purposes. The ad_personalization cookie regulates whether data can be used for ad personalization (e.g., remarketing). The Data Controller ensures that the appropriate consents are obtained or withdrawn via its cookie banner/panel. The withdrawal of consent shall not affect the lawfulness of data processing based on consent before its withdrawal.
- Further information and Google’s privacy policy are available at the following page: https://policies.google.com/privacy
Application of Google Analytics
- This website uses Google Analytics, a web analytics service provided by Google Inc. (“Google”). Google Analytics uses so-called “cookies”, which are text files saved on your computer, to help analyze the use of the website visited by the User.
- The information generated by the cookies regarding the website used by the User is usually transmitted to and stored on a Google server in the USA. By activating IP anonymization on the website, Google truncates the User’s IP address within the Member States of the European Union or in other states party to the Agreement on the European Economic Area beforehand.
- Only in exceptional cases is the full IP address transmitted to a Google server in the USA and truncated there. On behalf of the operator of this website, Google will use this information to evaluate the User’s use of the website, to compile reports on website activity for the website operator, and to provide other services related to website and internet usage.
- The IP address transmitted by the User’s browser within the framework of Google Analytics will not be merged with other data from Google. The User can prevent the storage of cookies by configuring their browser settings accordingly; however, please note that in this case, it may happen that not all functions of this website will be fully usable. You can also prevent Google from collecting and processing the data generated by cookies and related to the User’s use of the website (including the IP address) by downloading and installing the browser plugin available at the following link. https://tools.google.com/dlpage/gaoptout?hl=hu
Newsletter, DM (Direct Marketing) activity
1. In accordance with Section 6 of Act XLVIII of 2008 on the Basic Conditions and Certain Restrictions of Economic Advertising Activity, the User may give their prior and express consent to be contacted by the Service Provider with advertising offers and other mailings at the contact details provided upon registration.
2. Furthermore, keeping the provisions of this notice in mind, the Customer may consent to the Service Provider processing their personal data necessary for sending advertising offers.
3. The Service Provider does not send unsolicited advertising messages, and the User may unsubscribe from receiving offers free of charge, without any restriction or justification. In this case, the Service Provider shall erase all personal data required for sending advertising messages from its records and will no longer contact the User with advertising offers. The User can unsubscribe from advertisements by clicking on the link within the message.
4. The fact of data collection, the scope of processed data, and the purpose of data processing:
| Personal data | Purpose of data processing | Legal basis |
| Name, email address. | Identification, enabling subscription to the newsletter/discount coupons. | Consent of the data subject, Point (a) of Article 6(1) of the GDPR. Section 6(5) of Act XLVIII of 2008 on the Basic Conditions and Certain Restrictions of Economic Advertising Activity. |
| Date and time of subscription | Execution of a technical operation. | |
| IP address at the time of subscription | Execution of a technical operation. | |
5. Scope of data subjects: All data subjects subscribing to the newsletter.
6. Purpose of data processing: Sending electronic messages containing advertisements (email, SMS, push notifications) to the data subject, providing information about current updates, products, promotions, new features, etc.
7. Duration of data processing, deadline for the erasure of data: Data processing lasts until the withdrawal of consent (unsubscribing, request for erasure by the data subject) or until the termination of the newsletter.
8. Identity of potential data controllers entitled to access the data, recipients of personal data: Personal data may be processed by the data controller, as well as its sales and marketing employees, in compliance with the principles set forth above.
9. Description of the data subjects’ rights regarding data processing:
- The data subject may request from the data controller access to, rectification or erasure of personal data concerning him or her, or restriction of processing, as well as
- may object to the processing of personal data concerning him or her, and
- the data subject has the right to data portability, as well as the right to withdraw consent at any time.
10. The data subject may initiate access to, erasure, modification, or restriction of processing of personal data, data portability, or their objection in the following ways:
- by post at the address: 6440 Jánoshalma, Homok utca 8.,
- by email at the email address: info@combatprint.hu,
- by phone at the number: +36302745747.
11. The data subject may unsubscribe from the newsletter at any time, free of charge.
12. Please be informed that
- data processing is based on your consent.
- you are required to provide personal data if you wish to receive newsletters from us.
- failure to provide data will result in the consequence that we are unable to send you newsletters.
- please be informed that you can withdraw your consent at any time by clicking on unsubscribe.
- the withdrawal of consent shall not affect the lawfulness of data processing based on consent before its withdrawal.
Complaint handling
1. The fact of data collection, the scope of processed data, and the purpose of data processing:
| Personal data | Purpose of data processing | Legal basis |
| First name and last name | Identification, maintaining contact. | Point (c) of Article 6(1) of the GDPR (the relevant legal obligation: Section 17/A(7) of Act CLV of 1997 on Consumer Protection). |
| Email address | Maintaining contact. | |
| Phone number | Maintaining contact. | |
| Billing name and address | Identification, handling of quality complaints, questions, and problems arising in connection with the ordered products/services. | |
2. Scope of data subjects: All data subjects purchasing on the website and making quality complaints or filing complaints.
3. Duration of data processing, deadline for the erasure of data: Copies of the minutes, transcripts, and the response given to the objection must be retained for 3 years pursuant to Section 17/A(7) of Act CLV of 1997 on Consumer Protection.
4. Identity of potential data controllers entitled to access the data, recipients of personal data: Personal data may be processed by the data controller and its authorized employees, in compliance with the principles set forth above.
5. Description of the data subjects’ rights regarding data processing:
- The data subject may request from the data controller access to, rectification or erasure of personal data concerning him or her, or restriction of processing, and
- the data subject has the right to data portability, as well as the right to withdraw consent at any time.
6. The data subject may initiate access to, erasure, modification, or restriction of processing of personal data, as well as data portability, in the following ways:
- by post at the address: 6440 Jánoshalma, Homok utca 8.,
- by email at the email address: info@combatprint.hu,
- by phone at the number: +36302745747.
7. Please be informed that
- the provision of personal data is based on a legal obligation.
- the processing of personal data is a precondition for concluding a contract.
- you are required to provide personal data so that we can handle your complaint.
- failure to provide data will result in the consequence that we are unable to handle your complaint received by us.
Recipients to whom personal data are disclosed
“recipient”: means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not.
1. Data processors (who carry out data processing on behalf of the data controller)
The data controller utilizes data processors for the purpose of facilitating its own data processing activities, as well as to fulfill its obligations under the contract concluded with the data subject or those imposed by legislation.
The data controller places great emphasis on utilizing only data processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of the GDPR and ensure the protection of the rights of data subjects.
The data processor and any person acting under the authority of the data controller or the data processor, who has access to personal data, shall process the personal data contained in this policy exclusively in accordance with the instructions of the data controller.
The data controller is legally liable for the activities of the data processor. The data processor shall be liable for damage caused by processing only where it has not complied with obligations of the GDPR specifically directed to data processors, or where it has acted outside or contrary to the lawful instructions of the data controller.
The data processor has no substantive decision-making power regarding the processing of data.
The data controller may utilize a hosting provider as a data processor to provide the IT background, and a courier service to deliver the ordered products.
2. Specific data processors
| Data processing activity | Name, address, contact information |
| Hosting Services | Hostinger International Ltd |
| Other data processors (e.g., online invoicing, web development, marketing) | Shipping aggregator: Kvikk.hu (Kvikk Logisztika Kft.). Registered office: 1118 Budapest, Kelenhegyi út 43. Email: info@kvikk.hu. Online invoicing: Számlázz.hu (KBOSS.hu Kft.). Registered office: 1031 Budapest, Záhony utca 7. Email: info@szamlazz.hu |
“third party”: means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.
3. Data transfer to a third party
Third-party data controllers process the personal data provided by us in their own name, in accordance with their own privacy policies.
| Activity of the data controller | Name, address, contact information |
| Shipping / Transport | Kvikk Logisztika Kft. (Kvikk.hu). Participating courier services (data transfer through the Kvikk.hu system, based on the User’s choice on the checkout page): 1. GLS General Logistics Systems Hungary Kft. 2. MPL – Magyar Posta Zrt. 3. FOXPOST Zrt. |
| Online payment | Stripe Technology Europe, Limited (Stripe) |
Social media sites
- The fact of data collection, the scope of processed data: The name registered on Twitter/Pinterest/YouTube/Instagram/TikTok/LinkedIn etc. social media sites, and the user’s public profile picture.
- Scope of data subjects: All data subjects who are registered on Twitter/Pinterest/YouTube/Instagram/TikTok/LinkedIn etc. social media sites and have “liked” the Service Provider’s social media page, or have contacted the Data Controller through the social media site.
- Purpose of data collection: Sharing, “liking”, following, and promoting specific content elements, products, promotions of the website, or the website itself on social media sites.
- Duration of data processing, deadline for the erasure of data, identity of potential data controllers entitled to access the data, and description of the data subjects’ rights regarding data processing: The data subject can obtain information about the source of the data, its processing, the method of transfer, and its legal basis on the respective social media site. The data processing takes place on the social media sites; therefore, the duration and method of data processing, as well as the possibilities for erasure and modification of data, are governed by the regulations of the respective social media site.
- Legal basis for data processing: The data subject’s voluntary consent to the processing of their personal data on social media sites.
Facebook / Meta joint controllership
The Data Controller has a Facebook / Meta profile for its activities. Data processing for statistical purposes carried out on the Facebook social media site is a joint controllership between the Data Controller and Facebook Ireland Ltd. (4 Grand Canal Square, Grand Canal Harbour, D2 Dublin, Ireland). Detailed information regarding the joint controllership agreement is provided in the Page Controller Addendum for Facebook Page Insights. The addendum is available at the following link: https://www.facebook.com/legal/terms/page_controller_addendum
The Data Controller communicates via private message on the social media site exclusively if you contact us there.
1. Categories of data subjects
- the data subject who is registered on the social media site and has “liked” the Data Controller’s profile page,
- the data subject who contacts the Data Controller via private message on the social media site.
2. Purpose of data processing
The purpose of data processing on the Facebook social media site is to share and promote the activities and services of the Data Controller. The Data Controller may use the data provided by the data subject in a private message to reply to the message; otherwise, the Data Controller does not collect or extract any data through social media sites.
3. Legal basis for data processing
The data processing is based on Point (a) of Article 6(1) of the GDPR; the legal basis for data processing is the data subject’s consent to the processing of their personal data on the Facebook social media site.
4. Scope of processed data
- the registered name of the data subject,
- the public profile picture of the data subject user,
- other public data provided or shared by the data subject on the social media site
5. Source of processed personal data: The source of the processed data is the data subject.
6. Withdrawal of consent: You may withdraw your consent to data processing at any time, and you may delete your posts or comments. Data processing takes place through social media sites operated by third parties. If you withdraw your consent, the Data Controller will delete the conversation held with you. The withdrawal of consent shall not affect the lawfulness of data processing based on consent before its withdrawal.
The data subject may initiate access to, erasure, modification, or restriction of processing of personal data, as well as data portability, in the following ways:
- by post at the address: 6440 Jánoshalma, Homok utca 8.,
- by email at the email address: info@combatprint.hu,
- by phone at the number: +36 30 2745747.
7. Duration of data processing
- until the withdrawal of the data subject’s consent,
- in the event of an exchange of messages, 2 years.
8. Transfer, recipients, or categories of recipients of personal data: For the definition of recipient, see Article 4(9) of the GDPR. The Data Controller transfers the personal data of the Data Subject to state bodies and authorities—in particular courts, prosecution offices, investigating authorities, infringement authorities, and the National Authority for Data Protection and Freedom of Information—only in exceptional cases and based on a legal obligation.
9. Possible consequences of failure to provide data
In the event of failure to provide data, the data subject will not be able to obtain information about the Data Controller’s activities and services through the Facebook social media site, or send messages to the Data Controller via Facebook Messenger.
10. Automated decision-making (including profiling): Automated decision-making, including profiling, does not take place during data processing.
11. Joint controllership agreement concluded with Facebook Ireland Ltd.:
The Page Insights function displays aggregated data that helps understand how data subjects interact with the Facebook page. Facebook Ireland Limited (“Facebook Ireland”) and the Data Controller are joint controllers regarding the processing of insights data. The Page Insights Addendum defines the responsibilities of Facebook and the Data Controller concerning the processing of insights data. Facebook Ireland assumes primary responsibility under the GDPR for processing insights data and for complying with all applicable obligations under the GDPR regarding the processing of insights data. Furthermore, Facebook Ireland makes a summary of the Page Insights Addendum available to all data subjects. The Data Controller ensures that it has an appropriate legal basis under the GDPR for processing insights data, identifies the controller of the page, and complies with all other applicable legal obligations. Facebook Ireland has sole responsibility for the processing of personal data in connection with the Page Insights function, except for data falling within the scope of the Page Insights Addendum. The Page Insights Addendum does not grant the Data Controller the right to request the personal data of Facebook users processed by Facebook Ireland in connection with Facebook, including page insights data. The Data Controller may not act or provide responses on behalf of Facebook Ireland when fulfilling data protection requests.
Customer relations and other data processing
- Should any questions or problems arise for the data subject while using the services of the data controller, they may contact the data controller via the methods provided on the website (phone, email, social media sites, etc.).
- The Data Controller shall delete received emails, messages, and data provided via phone, Meta, etc., together with the interested party’s name and email address, as well as any other voluntarily provided personal data, no later than 2 years from the date of the communication of the data.
- Information regarding data processing operations not listed in this notice will be provided at the time the data is collected.
- In the event of an exceptional request from an authority, or a request from other bodies based on statutory authorization, the Service Provider is obliged to provide information, disclose or transfer data, and make documents available.
- In these cases, the Service Provider shall disclose personal data to the requesting party—provided that the exact purpose and the scope of data have been indicated—only to the extent and in the amount strictly necessary to achieve the purpose of the request.
Rights of data subjects
1. Right of access
You have the right to obtain from the controller confirmation as to whether or not personal data concerning you are being processed, and, where that is the case, access to the personal data and the information listed in the Regulation.
2. Right to rectification
You have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning you. Taking into account the purposes of the processing, you have the right to have incomplete personal data completed, including by means of providing a supplementary statement.
3. Right to erasure
You have the right to obtain from the controller the erasure of personal data concerning you without undue delay and the controller shall have the obligation to erase personal data without undue delay where specific conditions apply.
4. Right to be forgotten
Where the controller has made the personal data public and is obliged to erase the personal data, the controller, taking into account available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers processing the personal data that you have requested the erasure by such controllers of any links to, or copy or replication of, those personal data.
5. Right to restriction of processing
You have the right to obtain from the controller restriction of processing where one of the following applies:
- you contest the accuracy of the personal data, for a period enabling the controller to verify the accuracy of the personal data;
- the processing is unlawful and you oppose the erasure of the personal data and request the restriction of their use instead;
- the controller no longer needs the personal data for the purposes of the processing, but they are required by you for the establishment, exercise or defence of legal claims;
- you have objected to processing; in this case, the restriction applies for the period pending the verification whether the legitimate grounds of the data controller override your legitimate grounds.
6. Right to data portability
You have the right to receive the personal data concerning you, which you have provided to a data controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another data controller without hindrance from the data controller to which the personal data have been provided (…)
7. Right to object
In the case of data processing operations based on legitimate interests or the exercise of official authority as legal bases, you have the right to object, on grounds relating to your particular situation, at any time to the processing of your personal data (…), including profiling based on those provisions.
8. Objection in the case of direct marketing
Where personal data are processed for direct marketing purposes, you have the right to object at any time to the processing of personal data concerning you for such marketing, which includes profiling to the extent that it is related to such direct marketing. If you object to the processing of personal data for direct marketing purposes, the personal data shall no longer be processed for such purposes.
9. Automated individual decision-making, including profiling
You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you.
The previous paragraph shall not apply if the decision:
- is necessary for entering into, or the performance of, a contract between you and the data controller;
- is authorised by Union or Member State law to which the data controller is subject and which also lays down suitable measures to safeguard your rights and freedoms and legitimate interests; or
- is based on your explicit consent.
Deadline for action
The data controller shall provide information on action taken on the above requests to you without undue delay and in any event within 1 month of receipt of the request.
That period may be extended by 2 further months where necessary. The data controller shall inform you of any such extension within 1 month of receipt of the request, together with the reasons for the delay.
If the data controller does not take action on your request, it shall inform you without delay and at the latest within one month of receipt of the request of the reasons for not taking action and on the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.
Security of data processing
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the data controller and the data processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including, inter alia, as appropriate:
- the pseudonymisation and encryption of personal data;
- ensuring the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
- the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
- a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
- The processed data must be stored in such a way that unauthorized persons cannot access them. In the case of paper-based data carriers, this is achieved by establishing a system for physical storage and filing, and in the case of data processed in electronic form, by applying a central access management system.
- The method of storing data using IT methods must be chosen in such a way that their erasure—also considering potentially different erasure deadlines—can be carried out upon expiry of the data erasure deadline, or if necessary for other reasons. The erasure must be irreversible.
- Paper-based data carriers must be stripped of personal data using a paper shredder or by utilizing an external organization specialized in document destruction. In the case of electronic data carriers, physical destruction must be ensured in accordance with the rules on discarding electronic media, or, if necessary, through prior secure and irreversible erasure of the data.
- The data controller takes the following specific data security measures:
To ensure the security of personal data processed on paper, the Service Provider applies the following measures (physical protection):
- Placing the documents in a secure, well-lockable, dry room.
- If personal data processed on paper are digitized, the rules applicable to digitally stored documents must be applied.
- During their work, the employee of the Service Provider performing data processing may leave the room where data processing takes place only after locking away the data carriers entrusted to them or locking the respective room.
- Personal data may only be accessed by authorized persons, and third parties shall not have access to them.
- The Service Provider’s building and rooms are equipped with fire protection and property security systems.
IT protection
- Computers and mobile devices (other data carriers) used during data processing are the property of the Service Provider.
- The computer system containing personal data used by the Service Provider is equipped with antivirus protection.
- To ensure the security of digitally stored data, the Service Provider performs data backups and archiving.
- The central server machine may only be accessed with appropriate authorization and exclusively by designated persons.
- Data located on computers can only be accessed using a username and password.
Communication of a personal data breach to the data subject
When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay.
The communication to the data subject shall describe in clear and plain language the nature of the personal data breach and contain at least the name and contact details of the data protection officer or other contact point where more information can be obtained; describe the likely consequences of the personal data breach; describe the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
The communication to the data subject shall not be required if any of the following conditions are met:
- the controller has implemented appropriate technical and organisational protection measures, and those measures were applied to the personal data affected by the personal data breach, in particular those that render the personal data unintelligible to any person who is not authorised to access it, such as encryption;
- the controller has taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects is no longer likely to materialise;
- it would involve disproportionate effort. In such a case, there shall instead be a public communication or similar measure whereby the data subjects are informed in an equally effective manner.
If the controller has not already communicated the personal data breach to the data subject, the supervisory authority, having considered the likelihood of the personal data breach resulting in a high risk, may require it to do so.
Notification of a personal data breach to the supervisory authority
In the case of a personal data breach, the data controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification is not made within 72 hours, it shall be accompanied by reasons for the delay.
Review in the case of mandatory data processing
If the duration of mandatory data processing or the periodic review of its necessity is not determined by law, local government regulation, or a binding legal act of the European Union, the data controller shall review, at least every three years from the commencement of data processing, whether the processing of personal data processed by it, or by a data processor acting on its behalf or instructions, is necessary for the realization of the purpose of data processing.
The data controller shall document the circumstances and results of this review, retain this documentation for ten years following the completion of the review, and make it available to the National Authority for Data Protection and Freedom of Information (hereinafter: Authority) upon the Authority’s request.
Possibility to file a complaint
Complaints against any potential infringement by the data controller can be lodged with the National Authority for Data Protection and Freedom of Information:
National Authority for Data Protection and Freedom of Information
1055 Budapest, Falk Miksa utca 9-11.
Mailing address: 1363 Budapest, P.O. Box 9.
Phone: +36-1-391-1400 Fax: +36-1-391-1410
E-mail: ugyfelszolgalat@naih.hu
Closing remarks
During the preparation of this notice, the following legislation was taken into account:
- REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation / GDPR);
- Act CXII of 2011 on the Right to Informational Self-Determination and on Freedom of Information (hereinafter: Info Act);
- Act CVIII of 2001 on Electronic Commerce Services and Information Society Services (especially Section 13/A);
- Act XLVII of 2008 on the Prohibition of Unfair Commercial Practices against Consumers;
- Act XLVIII of 2008 on the Basic Conditions and Certain Restrictions of Economic Advertising Activity (especially Section 6);
- Act XC of 2005 on Electronic Freedom of Information;
- Act C of 2003 on Electronic Communications (specifically Section 155);
- Opinion No. 16/2011 on the EASA/IAB Recommendation on Best Practice for Behavioural Advertising;
- Recommendation of the National Authority for Data Protection and Freedom of Information on the data protection requirements of prior information.
